Ever gotten a notice in the mail that read, something to the effect of, “by law, we’re required to inform you that since our infrastructure passwords were extremely weak, such as “password” and “123456,” a data breach has occurred and your personal information may or may not be in the hands of Russian hackers for sale somewhere in the deep web?”

Well, maybe not that forthcoming, but you know what I’m talking about. When it comes to data network security breaches, there are laws which specifically require an organization to disclose to its customers whenever there has been such a data breach. These laws go far beyond the ubiquitous Health Insurance Portability and Accountability Act, better known as HIPPA.

For instance, here in Arizona, under Revised Statute § 44-7501, (Conditionally Rpld.) it requires a person that conducts business in this state who becomes aware of a data breach shall conduct a reasonable investigation and after determining a breach in the security system shall notify all individuals affected.[1] Simply put, organizations are required, by law, to disclose the breach, make remedies to resolve it, and can be held responsible for any damages thereof.

Oftentimes, these data network security breaches and subsequent notifications will be accompanied with a free offer for credit monitoring. As a consumer, you should absolutely take it, if you aren’t’ already monitoring your credit through some other third party.

First and foremost, if you discover a data network security breach within your firm, promptly notify your clients and provide measures to protect their interests. More importantly, as an organization, there are several steps you can take to avoid such data network security breaches. Some are as simple as requiring strong password policy. Others include keeping your data stored in a secured, locked environment with very restricted access.

Password Policies

As both an end-user and as an administrator, I know how frustrating complex password policies can be. Yes it’s pain to have a password that must contain 1 uppercase letter, 1 lowercase letter, 1 symbol, 1 number, that cannot be anything you’ve ever used before and cannot have successive numerical values. However, that complexity exists for a reason. Hackers are well aware of the most commonly used password, such as “123456” followed by “password.”[2]

The folks at Microsoft recommend you “set password policy to require complex passwords, which contain a combination of uppercase and lowercase letters, numbers, and symbols, and are typically a minimum of seven characters long or more for all accounts, including administrative accounts, such as local administrator, domain administrator, and enterprise administrator.”[3]

However, consequently, when employees are required to change passwords often, meet minimum complexity requirements, and not repeat a password for a minimum amount of time, they may begin to break the rules and start writing passwords down simply because they cannot remember passwords that change so often.[4] Bottom line, design a password policy that is secure but doesn’t comprise functionality.

Data Network Security Breaches and Notification Laws

End-User Training

Many folks within an organization, while balking at having to change passwords regularly, simply do not understand the reasons behind it or the risks they attempt to advert. To that end, it would be wise for your IT staff to train end-users on why and how to keep their passwords unique and safe. Once employees discover their organization can be levied a hefty fine which may result in cutbacks as a consequence thereof, I’m sure the loudest of the balkers will begin to change their tune.

End-user training can be as simple as memo sent to employees requiring them to read, sign, and return to management. Alternatively, a once a year run-down presented by IT staff during a mandatory meeting should suffice for larger organizations.

Restricting Access

Your organizations most sensitive client data should be restricted to a need-to-know basis. If there is no need for the receptionist to access client information, then by all means create a security clearance group policy that only allows access to sensitive drives to those who truly require it.

Is your server room open to anyone at the firm? If so, quite frankly, you’re doing it wrong! I don’t care if there are 2 people in your firm, if one doesn’t need access to drives containing sensitive data, then by all means keep that access restricted. Unfortunately, many organizations have the “it’ll never happen to us” mentality that ultimately comes back to bite them in the end. Remember Target? Ever heard of the Panama papers?

Data Network Security Breaches and Notification Laws

Conclusion

Data security is your responsibility. Be not only aware of the legal obligations for your firm’s clients, but for anyone who does business with your organization. Develop corresponding IT policies and procedures to avoid liability that can possibly be the death knell of your organization.

It started with an early Sunday morning phone call. A senior equity partner who writes whenever and wherever inspired complained, “I’m getting an error whenever I try to open Word or PDF documents.” Two hours, and a trip into the office later, we erroneously concluded our case file folder had been corrupted from an unsuccessful backup and a simple scan/repair job would have us back up and running.

Unfortunately, while the scan/repair utility sifted its way through 1.5 terabytes of files, a more destructive tool was worming its way through our network shares as well. It wasn’t until another partner emailed late Sunday evening to inquire about strange file names like “HELP_DECRYPT” saved in his case directory did we realize we had a more serious problem on our hands. We’d been struck by the CryptoWall 3.0 ransomware virus! (Que Scary Music!)

What is CryptoWall 3.0?

“CryptoWall is “the largest and most destructive ransomware threat on the Internet “at the moment and will likely continue to grow.[1] Essentially, CryptoWall, an evolution from CryptoLocker, uses malware to copy and encrypt commonly used office file extensions, then deletes the original, leaving victims little or no options beyond paying a ransom or losing the ability to recover their files. In a law firm, losing client data, past and present, simply isn’t an option. In our case, the ransomers wanted $700 to supply the key to decrypt our files! Though we had roughly triple that amount in lost productivity and billable hours fixing this mess, negotiating with terrorist simply wasn’t an option! However, fortunately, if your organization has a cold backup the likelihood of recovery drastically increases.

When we investigated just how much the virus purveyed through our network, we noticed it was centralized in the heart of our operation, client case files, and law firm application data shares. Though we knew we had cold back-ups to restore from, we didn’t know if the virus had stopped spreading or even know where it originated. The last thing we wanted to do was to restore our files only to have them encrypted all over again!

$700 Ransom only doubles with time!

Identifying the Source of the Virus

Once you notice your organization has been affected by CryptoWall, some engineers suggest you power down your network switch to prevent spreading. While this works for smaller networks, it may not be feasible, especially for larger organizations. I would simply suggest modifying share permissions to critical shared drives to prevent infected machines from writing to those drives and further spreading. Unfortunately, there is no administrator level method to determine which machine the virus originated from. I had to walk around to each and every machine in the law firm, install, and run applications such as MalwareBytes, Hitman Pro and ListCWall to scan, identify, and remove any locally infected files. Once we identified the source of the virus (HELP_DECRYPT files will appear locally), I scrubbed it clean and proceeded to delete and restore our files.

Restoring the Infected Files

There is something unnerving about deleting 1.5 terabytes of client files even when you know there is a backup, but it was necessary. Besides, all of it was utterly useless encrypted garbage at this point. After deleting, we used an application called Karen’s Replicator to replicate the cold backup drive to the previously infected share drive. It took approximately 2 days to restore 1.5 terabytes worth of data, but it worked, and so far, so good.

We also noticed that QuickBook files, both current, and backups were affected as well. Luckily, we were able to restore company files from previous routine bare metal Windows Server Backup.

How You Can Protect Your Network

The bottom line is this can happen to anyone. One erroneous click on the Internet, opening an attachment from even a trusted source whose email contacts have been compromised can unleash a world of hurt on law firms who increasingly rely on sensitive client data to operate. The more we embrace technology, the more vulnerable we become to it. Keeping end-users up-to-date with safe browsing practices is a start. TechRepublic has some great tips for keeping your network safe and avoiding the likes of CryptoWall 3.0.

Is Windows 10 MRPC Compatible?

Apparently, from the feedback I’m getting, Microsoft® finally got it right with Windows 10! As a legal technology professional I have been inundated with inquiries from attorneys on whether Windows 10 is worth the upgrade (even though it’s free), and if they should think about making the switch. My response has consistently been to wait.

First, like any new product I always suggest letting the manufacturer work out the kinks before jumping aboard. Similarly, like purchasing a new model year car, you never really want the first batch rolling off the assembly line. That said, after digging further under the hood, it appears there are other potential pitfalls with Windows 10 that could specifically leave attorneys on the wrong side of the rules of professional conduct!

What Windows 10 End User License Agreement Says

Apparently, Microsoft is following the footsteps of other “Big Data” mining companies and has gotten creative in their user terms and conditions. How creative you ask, well apparently creative enough to give Microsoft ingress to virtually any and all data you may have or had access to while using their operating system! This ingress gives Microsoft permission to track your location, activities, browser history, and more importantly, READ YOUR EMAILS! Further, there does not appear to be a way for less sophisticated users to disable these settings. This is why it’s so important to be aware of what’s in that End User License Agreement.

Moreover, as pointed out by Daily Kos, Microsoft’s privacy policy specifically states the following:

Finally, we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have a good faith belief that doing so is necessary to:

comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;

protect our customers, for example to prevent spam or attempts to defraud users of the services, or to help prevent the loss of life or serious injury of anyone;

operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or

protect the rights or property of Microsoft, including enforcing the terms governing the use of the services – however, if we receive information indicating that someone is using our services to traffic in stolen intellectual or physical property of Microsoft, we will not inspect a customer’s private content ourselves, but we may refer the matter to law enforcement.[1]

What the Model Rules of Professional Conduct Say

Generally, under Model Rules of Professional Conduct (MRPC) Rule 1.6, a lawyer is prohibited from revealing any information related to the representation of a client. Either voluntarily or involuntarily, unless informed consent is given by his/her client.[2] Recently, the New York State Bar specifically addressed this very conceivable dilemma in its Opinion 782, which addressed inadvertent confidential data disclosures through email, opining in part that, “a lawyer must exercise reasonable care to ensure that he or she does not inadvertently disclose his or her client’s confidential information.”[3]

Though some disclosures are unavoidable, under MRPC 1.6, where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” is permitted, however an attorney should always know what the data is, where it’s located, and who has access to it. Granted these rules were designed to regulate traditional vendors such as storage facilities or copy services, they are also relevant to any form of data transmission. One could arguably say that since there is little control over the settings that control the data sharing in Windows 10, or since the data mining is customary a lawyer should be in the clear, right? Wrong. The model rules consistently say attorneys should take reasonable steps to protect a client’s data at all times. This includes everything from choosing to forgo using Windows 10 all together, to familiarizing yourself with ways to prevent data ingress.

What Can You Do About It?

By now, I’m sure you’re thinking, it’s probably just not worth using Window’s 10 if you want to remain MRPC 1.6 compliant. I would tend to agree, especially at this stage when little is known about the vastness of Microsoft’s data mining. However, for those who have already made the switch, there are some options. As Jacob Siegal noted, a simple program called “The Windows Club” allows users to tweak Windows 10 in order to disable some pervasive features such as user tracking, telemetry, and hiding your network from others.[4] Additionally, I would not recommend integrating the same email address used for client data with the operating systems if prompted. Simply put, keep your business email separate from Windows 10 operating system. Of course, if you use an email client such as Outlook, this may be unavoidable. However, I’m specifically referring to the prompt for your email address when initially setting up the operating system. Either avoid supplying an email address all together, or if unavoidable, use an email address not associated with clients. Alternatively, to completely protect your neck, consider weaving in the possibility of ostensible third party data disclosures through the use of operating systems or cloud based data into your fee agreement.

Conclusion

The bottom line, use caution when implementing a new operating system, and use your best judgment when integrating your firm’s email with your operating system. Even with Windows 8, Microsoft wanted to link your email address to your operating system. Personally, I use Outlook Web App (OWA) for sending/receiving email to avoid using native programs such as Outlook. With today’s web (cloud) based email, virtually all the functionality of an email client is built right in. Of course, Ethical Compliance and Cloud Services for Law Firms is a whole other issue, but this generally means that one has taken reasonable steps to protect client data from being shared. This is really all you can do in order to be MRPC Rule 1.6 compliant.

You know the old saying, “do the crime, forfeit your constitutional rights for eternity?” No, well neither have I. However, in many jurisdictions, both state and federal, there are laws that abolish certain constitutional rights once a person has been convicted of ANY felony. Here in the United States, felonies are considered crimes punishable by incarceration of more than one year in a state or federal prison, and misdemeanors are considered crimes punishable by local jail sentences, fines, or both.[1] Moreover, once a person is convicted of a felony, whether they served time in prison or not, they are forever referred to as a “felon.” Here, we’ll discuss what’s involved in restoring your rights as convicted felon.

Once convicted, a felon loses many basic rights such as, the right to hold public office, exclusion from jury duty, the right to possess a firearm, and more importantly, the right to vote. Exclusion from sitting on a jury is generally a lifetime ban and little headway has been made in restoring this privilege. Further, the ban on firearm possession is codified under US federal law (18 U.S.C. § 922(g)) and prohibits felons from owning firearms, unless that specific right has been restored. With regards to the right vote, it generally varies by jurisdiction. Most states allow voter right restoration after a period of time or completion of probation or parole, however three states, Virginia, Florida, and Kentucky have lifetime bans on a felons right to vote absent approval from the state’s Governor.[2]

Restoring Your Gun Rights as a Convicted Felon

How To Restore Your Rights as a Convicted Felons

When it comes to restoring rights, whether it be the right to vote, or the right to possess an own a firearm, many people convicted of felonies simply aren’t aware of the steps required to do so. As someone who canvasses door-to-door during election cycles, I can’t tell you how many times I heard the phrase, “I’m a felon, I can’t vote” from residents. Some use it as an excuse to disengage from the political process, while most see it for it is, voter disenfranchisement. The bottom line is, if you want your rights restored, you have to seek out the info in order to do it. Thankfully, sites like http://www.procon.org/make it simple by listing the requirements for each and every state. Simply find your state, click the link, and follow the directions. You don’t need a lawyer, just a printer to print off the forms, fill them out and submit them to the clerk of the court for your county.

When it comes to restoring your rights as a convicted felon, there are some extra requirements, such as knowing the specific dates of your conviction, or providing the discharge paperwork from the state or federal correctional institute if you were incarcerated. However, chances are, if you’re reading this, you’re smart enough obtain that readily available information. Here in Arizona, you can petition the court to restore your civil (voting) rights, gun rights, and request that your judgment be set aside all in the same form! When applying for the restoration of your gun rights, you’ll have to provide the court a brief explanation of why you’re requesting the right to possess or own a firearm. Usually, by stating you would like to own a firearm to protect your home will be sufficient.

Conclusion

So when it comes to restoring your rights as a convicted felon, remember, you don’t have to forfeit your constitutional rights for eternity, you just have to jump through some well-placed hoops in order to do so. Since 30% of Black men, and nearly 25% of Hispanic men and roughly 5.8 million people overall have felony convictions, many major elections may have had different outcomes if allowed to vote.[3] Moreover, it’s estimated that felons whose right to vote is restored are at least 2/3rds less likely to return to prison![4] So if you’ve been convicted of a felony, or know someone who has, please share this information on restoring your rights as a convicted felon.

[1] What Is a Felon and What Is a Felony? – Felon Voting – ProCon.org, , http://felonvoting.procon.org/view.answers.php?questionID=000644 (last visited Apr 2, 2015).

Prosecutors can get a grand jury to indict a “ham sandwich” as the famous New York Chief Judge Sol Wachtler once said.[1] If that’s the case, why has it been so hard to get an indictment over police officers blatantly accused of wrongdoing lately? Well let me explain. It’s almost like a Doctor who can’t do his job without nurses. If the Doctor gets his nurses fired, chances are, going forward; nurses will not be overly helpful in making sure the Doctor can get his job done. Similarly, prosecutors have reciprocal relationships with police officers in the jurisdictions they serve. If police feel a certain prosecutor is out to the get them there is the possibility of evidence being lost, warrants not being served correctly, and forgetting to show up and testify in court! Given the recent inability of prosecutors to sway grand juries to indict police misconduct, many are left wondering what can be done to address this increasing problem. Let us discuss prosecutors who can’t seem to indict a ham sandwich and why.

The Facts

According to the Bureau of Justice Statistics, “U.S. attorneys prosecuted 162,000 federal cases in 2010, the most recent year for which we have data. Grand juries declined to return an indictment in 11 of them.”[2] I was no math major, but if my calculator serves me correctly, only .067 percent of indictments result in a “no true bill” which is where a grand jury fails to indict. Unfortunately, no specific national data exists for grand jury investigations on police officers, however there are numbers for specific districts. For example, “[i]n the 81 grand jury investigations of police shootings in Dallas between 2008 and 2012, only 1 decided to indict.”[3]

As it stands, the proportion of general population defendants actually charged with a crime versus law enforcement officers charged with a crime is at about 2 to 1.[4] Simply put, if you’re a police officer accused of a crime you have a 50% chance of not being charged for that crime compared to civilians.

Police are 50% less likely to be charged for a crime compared to civilians.

The Cato Institute’s report on National Police Misconduct shows that there were 4,861 unique reports of misconduct in 2010, including 127 fatalities associated with excessive force.[5] Further, a recent report issued by the Department of Justice on the Cleveland Police Department’s use of force shows that there is a consistent use of unreasonable force in the majority of its shootings. If police know that – statistically speaking – they are less likely to be held accountable for their action opposed to their civilian counterparts, nothing will curb this behavior outside of legislative intervention. Excessive force is the most prevalent and most consistent complaint against officers across the nation.

4,861 unique reports of misconduct in 2010, including 127 fatalities

What Can Be Done?

There is a general consensus among legal minds that the appointment of “special prosecutors” who work independently within the office of state attorney generals would be the most ideal option. “The special prosecutor’s responsibilities should be limited to the oversight, investigation and prosecution of police or public official misconduct, keeping them independent from other policing functions.”[6] Doing so would eliminate the “special bond” and working relationship prosecutors and police agencies currently share. Let’s face it, no one wants to see their colleagues go to prison , let alone be the one who sends them there for something that occurred during the course of their employment.

The use of special prosecutors is hardly new, however the appointment of one is typically decided on a case by case basis. By establishing an independent office solely responsible for police oversight, it removes the scenario of the police policing themselves. However, as with anything related to government there is always a concern for costs. As Joshua Deahl noted, the benefits far outweigh the costs. By establishing a specific office to investigate and prosecute police misconduct, it would save state governments the added cost of paying private legal fees. He noted, “[s]pecial prosecutors picked for a single investigation have little incentive to contain costs.”[7] Just as an example, taxpayers in Cook County, IL had to pick up a $1 million legal bill “when a high-profile lawyer was appointed to handle the prosecution of former Chicago Mayor Richard Daley’s nephew for his role in a bar fight that left a man dead.”[8]

Of course any changes would need to be implemented at the state level. State lawmakers take note; because there is already proposed legislation with bi-partisan support in Missouri aimed at requiring special prosecutors to head up all investigations involving officers and fatal shootings.[9] Though there is bi-partisan support, expect push-back from existing elected prosecutors and prosecutor associations. Many will contend state constitutional separation of power requirements forbids special prosecutor offices at the executive level. However, any notion that this hasn’t been done before is hogwash. The precedence of special prosecutors stems all the way up to the U.S Justice department down to state and local governments. This can be done, or at least the conversation can be started. My suggestion is that those who share the concerns of prosecutorial bias also reach out to their legislators and demand action at the state level.

Replacing Prosecutors Who Can’t Indict a Ham Sandwich

Conclusion

We can eliminate inner-office bias by simply removing the responsibility of garnering indictments from existing prosecutors who consistently work with police agencies facing charges. I completely understand the rock and hard place scenario these prosecutors are faced with. However, given the fact that so many citizens are losing their lives at the hands of police officers with little or no recourse, there must be ramifications for over-zealous officers to be aware of. The focus should be on replacing prosecutors who can’t indict a ham sandwich by appointing an independent agency responsible for greater police oversight. Please share and give feedback on ways to curb jurisdictional bias.

Chances are, if you haven’t heard of the cloud, your head is probably in it! Today, cloud computing is becoming an essential element of personal and professional technology use. From our smartphones to our computers, both are increasingly becoming synchronized with cloud backup systems. From solo attorneys to big-box law firms, many are embracing cloud-based applications and backup options as a way of doing business. Here, we’ll discuss ethical compliance and cloud services for law firms.

You should be aware there are different platforms of cloud computing. Specifically, cloud computing is characterized as “large groups of remote servers networked to allow centralized data storage and online access to computer services or resources.”[1] The two main components of cloud based services boil down to data storage and applications that run locally but are processed in the cloud. It’s what those in the business refer to as Infrastructure as a Service (IaaS) and Software as a Service (SaaS)respectively . The history of cloud computing dates back to 1969 but “since the internet only started to offer significant bandwidth in the nineties, cloud computing for the masses has been something of a late developer.”[2] The concept gained industry notoriety in 2006 when Amazon first developed its Elastic Compute Cloud (EC2) model as the first commercial internet service allowing small businesses and individuals alike the ability to rent computers to run their own computer applications.[3]

Cloud Computing for Law Firms

For the most part, most cloud based application services offered to solo and small firms fall in the SaaS category. [4] Think of Clio, Rocket Matter, My Case, and Amicus cloud based case management platforms. However, many law firms and solo’s alike who don’t use SaaS based platforms have begun to use IaaS based platforms whether they know it or not. For instance, most iPhone users use iCloud to back up their devices even if not specifically intending to do so. Often times, when setting up a newly purchased iDevice, the setup steps require an iTunes log-in info. By doing so, iUsers inadvertently agree to have their digital content backed-up to Apples Cloud based storage. Don’t get me wrong, having a backup of your device’s content can be a Godsend if your device is lost or stolen. However, if you’re a lawyer who receives client related email or text messages on your phone, you just put confidential client information in a medium you neither are aware of, nor have control over.

Ethics Rules Possibly Affected by Cloud Computing

Under rule 1.1 of the Model Rules of Professional Conduct, the duty to “provide competent representation to a client” includes the duty to comprehend the cloud based technology services being used along with the duty to obtain client consent, and some cases the duty to counsel the client with regards to the use of cloud services in connection to representation. [5] Many states bar ethics committees have released opinions which generally permit attorneys to use “web-based storage services (like Google Docs and Dropbox) provided that the attorneys take reasonable steps to ensure their information is secure and not shared with third-parties.”[6]Given recent data breaches involving celebrity photos, cloud data security vulnerability is a very real possibility and should be paid close attention to. Moreover, if you aren’t even aware your client’s confidential information is being stored in the cloud, you certainly cannot claim to have taken reasonable steps to ensure their information is secure. To avoid any uncertainty, attorneys should be cognizant of what data is being backed up and where. Reasonable steps would include; routinely monitoring End User License Agreements, ascertaining where cloud providers store data, and keeping abreast of their retention policies.

Under, Rule 1.6, which includes an attorney’s duty to “exercise reasonable care to prevent . . . others whose services are utilized by the lawyer from disclosing or using confidential information of a client, comes another set of cloud related responsibility. “[7] Though some disclosure is permitted under RPC 1.6 where “the disclosure is impliedly authorized to advance the best interest of the client and is either reasonable under the circumstances or customary in the professional community,” an attorney should always know what the data is, where it’s located, and who has access to it. Granted these rules were designed to regulate traditional vendors such as storage facilities or copy services, they are also relevant to cloud computing as well.[8] Bottom line, cloud data storage is ethical so long as attorneys take “reasonable care to ensure the system is secure and the client confidentiality is maintained.”[9]

Under Rule 1.15, a lawyer has a duty to maintain and preserve client records and deliver them promptly upon request. Consequently, this applies to digital records kept locally and those maintained in the cloud, and making sure those files aren’t lost, stolen, or destroyed. Presumably, by using cloud-based backup services, you’re more than likely exercising the requisite reasonable efforts to maintain and preserve client records. Delivering client records upon request may be a sticking point for lawyers who use cloud based storage providers as we’ll get into next.

Pursuant to Rule 1.16, a lawyer has the “duty, upon termination of representation, to promptly deliver all papers and property to which the client is entitled,” which includes the work of cloud service providers.[10] Simply put, you must give the client all their files back after representation. However, if the cloud provider now legally owns the client’s digital content you uploaded, you can be in ethical violation of this rule. For instance, Google docs has a provision in their terms of service that states “when you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones.” To a layman it may appear that Google is seeking an ownership interest in the information you upload, however such licensing rights allow Google the ability store, transfer, and rewrite the data between multitudes of servers for backup purposes. To avoid RPC 1.16 pitfalls, I suggest understanding the terms of service between you and cloud providers.

Reasonable Precautions Attorneys Can Take to Ensure Client Info is Protected

There is a general consensus among ethic committees around the country that lawyers are ethically permitted to use cloud computing, however it should be noted that certain cases involving HIPAA, GLBA or FRCA may have additional restrictions. Overall, the general requirement is that lawyers take “reasonable precautions to ensure client information is protected from disclosure.”[11] Furthermore, the opinions all generally summate that attorneys will not be held as the guarantors of cloud based services. [12] As the New York State Bar Association put it, “the applicable standard is reasonable care, not strict liability,” and provided the following relevant guidelines attorneys should follow in exercising reasonable precautions. [13]

Stay on top of emerging technologies to ensure client information is safeguarded.

Research any cloud providers they are considering using to ensure the providers are well established, reputable, and have appropriate policies and practices to ensure that information is secure, properly handled, and backed up.

Take steps to ensure that the vendor and its personnel are competent to perform the tasks required.

Review all contracts and terms of service to ensure they comply with all ethical requirements.

Take steps to ensure that service contracts: (a) require the cloud provider to safeguard client information; (b) have appropriate provisions about the ownership of data, handling of subpoenas and other legal process, and notification of data breaches; and (c) have appropriate end-of-contract or termination provisions, including the ability to retrieve data regardless of the reason for termination and proper procedures for deleting data from the cloud.

Take steps to determine the geographical location of servers to ensure they are located in jurisdictions with adequate legal protections for data.

Take steps to ensure that data stored in the cloud is accessible when needed, even if the contract is terminated or the vendor goes out of business.

Protect against “end -user” vulnerabilities, such as the failure to use strong passwords or the use of unsecured Internet connections.

Notify clients in the event of a significant data security breach.[14]

Conclusion

If ever unclear about a potential ethical dilemma involving client data or otherwise, simply pick up the phone and call your state bar for guidance. After all, it’s what you pay yearly membership fees for. For those who lack the time to scour end user license agreements the makers of EULAlyzer have created free software that will scan end user license agreements specifically in search of inconspicuous language which unfairly binds users to unfair terms. Bottom line, if you can document that you’ve taken reasonable steps to safeguard your clients data you should be fine.

Can my email signature be forged? How about using an electronic signature on legally recognized documents? Both issues were recently presented to me by our senior equity partner at the law firm. My answers, yes & yes, but let me explain. It boils down to understanding Information Rights Management (IRM) and meeting the statutory requirements for using a legally recognized electronic signature.

Issue #1 Information Rights Management

When it comes to preventing email signatures from being altered, copied, or forwarded without authorization, an IRM policy must be implemented. Assuming we’re using an email client such as Outlook 2010 or newer, additional third party Microsoft credentials are required. Here’s how it works.

Information Rights Management (IRM) allows you to specify access permissions to email messages. IRM helps prevent sensitive information from being read, printed, forwarded, or copied by unauthorized people. After permission for a message is restricted by using IRM, the access and usage restrictions are enforced regardless of where the message goes, because the permissions to access an email message are stored in the message file itself.

IRM is generally implemented at the server level using Microsoft Exchange software. Alternatively, IRM is hosted on Microsoft servers by Microsoft for free, but requires a Microsoft Live ID (@hotmail.com email) to use. In order to utilize IRM internally, for example, a law firm would need one of the following: (1) running their own Microsoft Exchange server and managing it in-house, or (2) use a new or existing Microsoft Live ID (@hotmail.com ID) in conjunction with a firms existing hosted email to take advantage of IRM hosted for free on Microsoft servers. Clearly the latter is the most cost effective; however it would require several additional steps in sending an IRM equipped email.

Legally Recognized Electronic Signatures

Issue #2 Using Electronic Signature

Here in Arizona, under Arizona Revised Statutes, an electronic signature is defined as an electronic process that is attached to or logically associated with a record that is executed or adopted by an individual with the intent to sign the record. A.R.S § 44-7002
Furthermore, a signature is considered secure if, at the time it was made, and applied through a security procedure it is; (1) unique to the person using it, (2) capable of verification (3) under the sole control of the person using it, and (4) linked to the electronic record to which it relates in such a manner that if the record were changed the electronic signature would be invalidated. A.R.S § 44-7003

Generally speaking, an electronic signature can be any electronic means of indicating that a person adopts the contents of an electronic message. However, under A.R.S. § 44-7003, to qualify as a secure electronic signature, the operative requirement is element (4), the necessity to have ones identity validated through a third-party security certificate service. Such services are seemingly analogous to credit reporting agencies however solely for electronic identity. Currently, there are seven credentialing services customarily used throughout the industry. Those seven services include ARX CoSign, Avoco secure2trust, ChosenSecurity, Comodo, GlobalSign, My Credential, and VeriSign.

If your firm decides to implement a secure electronic signature digital ID, it is recommended you use a platform you may already be using. For instance, at our firm, we use Norton for anti-virus protection. It just so happens Norton is who issues VeriSign electronic signatures. A yearly subscription is required however, with a digital ID, a possessor would not only be able to securely sign electronic documents, but also send digitally signed emails which, in and of itself, constitutes a secure verified document. The process is fairly simple; a YouTube video explaining the process can be viewed here.

Conclusion

In conclusion, to protect email signatures from alteration, unauthorized copying and forwarding, a law firm has the option to implement Microsoft IRM services through the use of Microsoft Live ID accounts in lieu of costly in-house Exchange server management. Furthermore, secure electronic signatures pursuant to A.R.S § 44-7031, can be achieved through the use of digital ID’s validated through third-party security certificate services.

Has your personal property been naughty lately? If so, it could be sued by federal, state, and municipal governments resulting in a good ole bona fide Fourth Amendment seizure. Also known as civil forfeiture, the practice has been around for decades. Although once generally limited to suspected drug dealers, with increasing bureaucratic budget shortfalls, its’ becoming widely used by government agencies as a source of department revenue across the nation.

Civil Forfeiture on the Federal Level

Civil forfeiture is codified on the federal level by 18 U.S.C. § 981 (paralleling 18 U.S.C. § 982) and 21 U.S.C. § 881.[1] Essentially, the government initiates civil actions against the property itself, not the owner to remedy a harm, through the fiction of the property’s “guilt.”[2] The result, if your property has been naughty – I.e., involved in or an instrumentality to a crime – it may be seized by the government without its’ owner (you) ever being charged or convicted of a crime. With regards to the guilt or lack thereof of the property’s owner, the Supreme Court ruled that Due Process does not require pre-seizure notice or hearing, and that the innocence of the owner is not a general defense.[3] What’s worse, state and local governments have since jumped on the bandwagon implementing their own form of civil forfeiture laws punishing naughty property by seizing it, selling it for 100% profit, and then incorporating the funds into their general operating budget.

State & Local Civil Forfeiture

Civil Forfeiture on State and Local Levels

Originally the law was designed to give the federal government the authority to seize drug kingpin property used in illegal drug trafficking. For instance, if a drug trafficker was using his private plane or boat to transport narcotics, under the; RICO, Criminal and Drug Forfeiture Acts, the Feds could legally confiscate those items in order to prevent further trafficking. However recently, state and local level civil forfeiture laws have given local police departments the authority to forfeit personal items such as a jewelry, cash, homes and essentially anything else that can be sold. As noted, though the property owners are never charged, local & state agencies can bring action against the item itself leading to nonsensical forfeiture case names such as State of Texas vs. One Gold Crucifix or South Dakota v. Fifteen Impounded Cats.[4]

Here, in State of Texas vs. One Gold Crucifix, the “police confiscated a simple gold cross that a woman wore around her neck after pulling her over for a minor traffic violation.” [5] Since the defendant in civil forfeiture cases is the property itself, the rights of the owner have no bearing on the outcome. As a result, many individuals whose property is confiscated simply choose not to fight due the high costs of legal fees.

Further, one jurisdiction in particular, Philadelphia, PA, engages in the most notorious and aggressive civil forfeiture tactics in the country. Specifically, in a recent case involving a couple whose son was caught selling $40 worth of narcotics outside their family home, Philadelphia authorities sought to confiscate the couple’s entire home, sell it at auction, then retain the profits. As a result, The Institute for Justice has taken on the couples – and others similarly situated – case(s) filing a class action lawsuit seeking an injunction against the City of Philadelphia to halt what it refers to as “violations of rights guaranteed by the Due Process Clause of the Fourteenth Amendment.”

Defenses to Civil Forfeitures

As noted, unless provided by statute, the innocence of the owner is generally not a defense to a civil forfeiture. Even where statutory defenses are available, they are narrowly construed by the courts. [6] For example, “courts may apply an objective standard to determine if the owner should have had knowledge of the property’s illegal use, rather than require proof of actual knowledge.”[7]

In certain situations, owners may be able to argue that if no crime occurred, the government lacks probable cause, “or that the property is not closely enough connected to the crime to be considered an instrumentality or proceeds.”[8] Even where the government is required to return the property seized, it is not liable for any further damages resulting from its confiscation, nor any interest ordinarily accrued on actual forfeited funds.

Proposed changes

On the national level there has been chatter on reforming federal civil forfeiture statutes however not much has been done. There is bi-partisan support for the proposed Civil Asset Forfeiture Reform Act proposed by Tim Walberg (R-Mich) however it faces an uphill battle in the Judiciary Committee.

Currently, North Carolina is the only state in the country that prohibits civil forfeiture unless the owner of the property has been convicted of a crime. A state lawmaker in Virginia, Delegate Mark Cole, is proposing legislation in the 2015 general assembly to curtail current civil forfeiture statutes.[9] Hopefully other lawmakers will catch on as this little known, seemingly secret process is being brought to light.

Now that Its Affecting Many more Americans than Originally Intended . . .

Conclusion

If your property has been naughty or even has the inclination of naughtiness, have a sit down with it and explain the ramifications of its behavior. If that sounds ludicrous, so does the governments rationale for seizing it! My theory is that since this practice was primarily directed at inner-city “drug dealers” many Americans simply didn’t care. Once its pervasiveness started sprawling into suburban America, it now has become a problem that needs reform. It’ll be interesting to see how much government the limited government folks will tolerate once their loved ones and neighbors are affected.

I’ve always wanted to invent my own brand of soda called Peepsi! However, I’m positive I’d get a cease and desist letter for trade name infringement from Pepsi before I could screw the cap on my first bottle. Although there is a difference between Peepsi and Pepsi, the consumer confusion would likely turn into a winnable trade name infringement case. Generally, infringing on a business’s trade name comes at the expense of a company’s good will it has established over time, in Pepsi’s case, over a century. So let us discuss consumer confusion and trade name infringement.

Consumer Confusion and Trade Name Infringement

In the famous movie “Coming to America” starring Eddie Murphy, John Amos played the role of Cleo McDowell, an entrepreneur who owned McDowell restaurants which eerily resembles McDonalds. In the film, he’s quoted as saying “… me and the McDonald’s people got this little misunderstanding. See, they’re McDonald’s… I’m McDowell’s. They got the Golden Arches, mine is the Golden Arcs. They got the Big Mac, I got the Big Mick. We both got two all-beef patties, special sauce, lettuce, cheese, pickles and onions, but their buns have sesame seeds. My buns have no seeds.” Great fodder for film but in real life this would hardly fly. Specifically, under 15 U.S.C §§ 1051 et seq., also known as the Lanham Act that governs consumer confusion cases, a specific set of guidelines “protects the owner of a federally registered mark against the use of similar marks if such use is likely to result in consumer confusion, or if the dilution of a famous mark is likely to occur.”[1]

Establishing Trade Name Infringement

Typically, in determining whether consumers were unjustly confused to the detriment of an established registered mark, a court will consider seven factors. In consideration of these seven factors, the court uses a balancing test in deciding whether consumer confusion has occurred. The seven major factors a court will use in determining the “likelihood of confusion,”, include (1) the similarity of the plaintiff’s and defendant’s goods or services, (2) the identity of retail outlets or purchasers, (3) the identity of advertising media, (4) the “strength” (for example, inherent distinctiveness) of the trade name, (5) the defendant’s intent, (6) the similarity of the trade names, and (7) the degree of care likely to be used by consumers. [2]

So in our hypothetical case involving Cleo’s McDowell restaurant, first a court will consider the fact that both McDonalds and McDowell’s are in the fast food industry, primarily selling hamburgers, specifically “two all-beef patties, special sauce, lettuce, cheese, pickles and onions.” Being that both entities are selling virtually identical products (minus the seeds), element one will likely go into McDonalds favor.

Second, the court would look at the fact that both restaurants use fast-food outlets to target and serve its customers. If Cleo were operating out of, let’s say a food truck instead of an actual fast-food restaurant, a court might give deference to that fact. However, here, both entities are using similar outlets which would likely serve as another blow to Cleo’s consumer confusion defense.

Third, with regards to identity of the advertising media, presumably McDowell’s advertised primarily through community presence and its logo. As Cleo put it, “McDonalds has the gold arches, while his logo uses the golden arcs.” Here, the logo’s and even the typeface are extremely similar. This form of self-advertising media bears a striking resemblance in both restaurants which would likely land another check in McDonald’s favor.

Fourth, the court would determine the strength of the plaintiff’s own brand. Here, McDonald’s – having been in existence since the 1950’s – would have amassed a significant amount of good will under its brand by now. Though it is unknown how long Cleo McDowell’s franchise has been in existence, it unlikely pre-dates McDonalds.

Fifth, it is unclear that Cleo McDowell’s intent was to purposefully confuse consumers; however a court can and will infer intent by conduct. Specifically, the closeness of the brand, the logo, the type of food sold, the similarity in uniforms and the fact that when Cleo is first confronted by King Jaffe Joffer, he is seen reading a McDonald’s Operation Manual. [3]

Sixth, with regards to the similarity in trade names, a court will take into consideration the use of one’s family name in contrast to an existing trade name. However, courts have held that “the right of an individual to use his or her own name in connection with a business must yield to the need to eliminate confusion in the marketplace.” B.H. Bunn Co. v. AAA Replacement Parts Co., 451 F.2d 1254, 1266 (5th Cir. 1971) (“[O]ne may be forbidden to use even one’s own name, absent other distinctions, if the total effect of using it is to create confusion as to source.”) [4] Here, while Cleo used his family name, unfortunately there simply aren’t enough distinctions between the McDowell’s and McDonald’s brand to distinguish the similarities.

Lastly, in establishing the degree of care likely to be used by consumers, all McDonald’s would need to establish is a “likelihood of confusion” arising from the defendant’s use of the same or similar name.” WSM, Inc. v. Hilton, 724 F.2d 1320, 1325 (8th Cir. 1984). [5] This could be satisfied constructively or literally. For instance, if a customer, on any occasion, entered McDowell’s thinking it was McDonald’s, or attempted to use a McDonald’s coupon, or even referred to Cleo’s “Big Mic” as a “Big Mac” when placing an order, it would likely satisfy the last element. [6]

Conclusion

In conclusion, given the totality of the circumstance resulting from the balancing test, a court would likely determine that Cleo’s restaurant is liable for customer confusion and trade name infringement. So remember that while you’d like your product to be recognized by the masses for what it is, there could be serious confusion for what it isn’t. My personal brand of soda, Peepsi, while specific and individual to me, is unlikely to be easily differentiated by a consumer. This causes consumer confusion and ultimately infringes on Pepsi’s established good will. So if you’re contemplating starting the next big burger franchise called Burger Queen, think again about how consumer confusion and trade name infringement.

[4]REMEDIES FOR TRADE NAME INFRINGEMENT, http://www.fwlaw.com/news/189-remedies-trade-name-infringement (last visited Oct 23, 2014) See Basile S.P.A. v. Basile, 899 F.2d 35, 39 (D.C.Cir. 1990) (limiting right of watch manufacturer to use family name “Basile,” where prior user had obtained trademark over use of the name); Perini Corp. v. Perini Construction, Inc., 915 F.2d 121, 124 (4th Cir. 1990) (limiting second comer’s right to use family name “Perini,” where name had acquired secondary meaning in the construction industry through prior use); B.H. Bunn Co. v. AAA Replacement Parts Co., 451 F.2d 1254, 1266 (5th Cir. 1971) (“[O]ne may be forbidden to use even one’s own name, absent other distinctions, if the total effect of using it is to create confusion as to source.”)

I recently updated my iPhone to the new iOS and like any other software update, new service or application there was a lengthy user agreement that required me to click “OK” before proceeding. Not unlike just about everybody else on the planet, I agreed without actually reading the user agreement in order to proceed. It got me wondering, what exactly is this, and more importantly, what’s in that End User License Agreement (EULA) i just agreed to? Unfortunately, the former is easier to answer than the latter. Specifically, an End User License Agreement is a legal contract between a software application author or publisher and the end user of the software. Just to be clear, a contact is a legally binding agreement which creates an enforceable obligation by law, and a license is simply a grant by the holder of intellectual property to another to exercise a certain privilege.

So What the Hell’s In It?

On the most basic level, an end user license agreement is somewhat similar to a rental agreement where the user agrees to pay for the privilege of using the software. Additionally, in most cases, the end user is also agreeing not to inappropriately copy, alter, or disseminate the software without proper permission. Although, under 17 U.S.C. § 117, an end user is absolutely free to use, archive, re-sale and make backups of any proprietary software he or she has purchased.

More commonly, end user license agreements serve to limit the liability of the application developer in case the software essentially damages your computer, loses your data, or results in your iPhone being “bricked.” Speaking of Apple, it seems to be well settled among actual EULA readers that Apple’s end user license agreements tend to be some of the most far reaching over-broad agreements that exist. For example, Apples EULA for its eBook authoring software contains language restricting an author’s use of any and all content produced using Apple’s software! Huh? Yea, that means Apple essentially dictates what you can and cannot do with your content created by using their software! As Ed Bott noted, “[i]t’s akin to Microsoft trying to restrict what people can do with Word documents, or Adobe declaring that if you use Photoshop to export a JPEG, you can’t freely sell it.”

Everything but the Kitchen Sink!

Like my mother always said, “the devil is in the details,” however application developers and attorneys alike realize no one is likely to sift through those details which results in EULA’s containing so much content and legal jargon that end users simply won’t bother to read it. Often times a company’s end user license agreement is contrary to existing law. For instance, a EULA that restricts a user to making only one back up copy is clearly inconsistent with the rights granted under 17 U.S.C. § 117. Presumably, the lawyers who draft these agreements are fully aware of these conflicts; however, they choose to be cautiously over-broad than restrictively narrow. Take Apple iTunes end user agreement that prohibits “creating nuclear weapons!” Or other notoriously ridiculous EULA clauses like Google Chrome’s insanely pervasive EULA that essentially gives Google ownership rights over everything up to and including your first born child! Read ” …you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.”

Click Here and You’re Ours!

Interestingly enough, the creepiness of mysterious end user license agreements appears to be so ubiquitous that the creators of South Park did a skit on the perils of not reading end user license agreements and the rights you inadvertently relinquish when you “Click Here to Accept!“

Bottom line, unless you’re insanely board or have infinite amounts of time on your hands, chances are you’re unlikely to carve 15 minutes to an hour out of your day to painstakingly analyze EULA’s before enjoying the brand new toy you just downloaded. I would suggest following Ed Bott’s blog who reads EULA’s so the rest of us won’t have to. Additionally, the makers of EULAlyzer have created free software that will scan end user license agreements specifically in search of inconspicuous language which unfairly binds users to unfair terms. Good luck!

Posts navigation

Follow Us!

Disclaimer

The information disseminated in this blog should only be used for informational purposes. This web site is not intended to create, and does not create an attorney-client relationship between you and Attorney Ryan Johnson. If you need or are seeking legal advice it is highly recommended that you consult with a licensed attorney in your area.

Again, none of the information on this web site is intended to constitute, nor does it constitute, any legal advice or guidance. Attorney Johnson makes no warranty, express or implied, about the accuracy or reliability of information at this web site or any other web site to which this site links, or is linked. If you have questions, please call Attorney Ryan Johnson, directly.